Subprocessors
The trusted service providers we use to deliver ConsentX.
Last updated 1 June 2026. ConsentX uses a small, carefully chosen set of subprocessors to run our infrastructure and communicate with customers. Each is bound by contract to protect personal data with safeguards no less protective than those in our Data Processing Addendum.
What a subprocessor is
A subprocessor is a third party that ConsentX engages to process personal data on our behalf in order to deliver our service. ConsentX acts as a processor of the personal data our customers entrust to us, and our subprocessors act as further processors under our instructions. Each subprocessor is engaged under a written contract that imposes data protection obligations consistent with those we owe to our customers, including confidentiality, security, and assistance with data subject rights.
Current subprocessors
The table below lists our current subprocessors, the purpose for which each is engaged, the region in which processing primarily takes place, and the legal mechanism that protects any transfer of personal data outside the European Economic Area or the United Kingdom.
| Subprocessor | Purpose | Location / Region | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services | Hosting and compute for the ConsentX application and consent data store | India (ap-south-1, Mumbai) | Primary processing remains intra-region in India; Standard Contractual Clauses apply where any onward transfer occurs |
| Cloudflare | CDN, DNS, WAF, and DDoS protection | Global edge network | Standard Contractual Clauses with UK Addendum; EU-US Data Privacy Framework where certified |
| Vercel | Hosting for the ConsentX marketing website | United States / Global | Standard Contractual Clauses with UK Addendum; EU-US Data Privacy Framework where certified |
| Stripe | Billing and payments | United States and Ireland | Standard Contractual Clauses with UK Addendum; EU-US Data Privacy Framework where certified |
| Mailjet by Sinch | Transactional email | European Union | Intra-EEA processing; no transfer outside the EEA required for this service |
Transfer safeguards
Where personal data is transferred outside the European Economic Area or the United Kingdom, ConsentX relies on the European Commission Standard Contractual Clauses, supplemented by the United Kingdom International Data Transfer Addendum, and on the EU-US Data Privacy Framework where the receiving organisation is certified under it. The primary ConsentX application and consent data store are hosted in the AWS Asia Pacific Mumbai region in India, so customer consent records are processed in India by default.
General authorisation and notice of changes
By entering into our Data Processing Addendum, customers provide a general authorisation for ConsentX to engage the subprocessors listed on this page. Before we add a new subprocessor or replace an existing one in a way that affects the processing of customer personal data, we will update this page and, for customers who have subscribed, send advance notice of the change.
Customers have the right to object to a new subprocessor on reasonable data protection grounds, as set out in the Data Processing Addendum. If you raise a reasonable objection that we cannot resolve, you may exercise the remedies described in the Addendum.
Stay notified of changes. Customers can subscribe to subprocessor change notifications so you hear about new providers before they take effect. Email privacy@consentx.io to be added to the notification list.